Cyber underwriting is the hardest line in specialty insurance to systematize.
Risk profiles change faster than guidelines. New attack vectors emerge in months. Two submissions can look identical on the application and behave catastrophically differently in practice. Your seniors know the difference. Most of that knowledge doesn't exist on paper anywhere in your carrier.
Where we fit in your day.
Tacit is the judgment layer your AI agents and your team consult. It does not run the workflow. It surfaces what your practice would notice.
-
When you open a submission.
Your platform shows you the application, loss runs if any, the broker's narrative, the security questionnaire. You start working through it. Tacit is in the background, having already read the same submission, and surfaces — in a side panel or via an MCP-connected agent if your carrier has one deployed — what your team's senior cyber UWs would attend to on this kind of risk.
Not "here are 10 similar past submissions." Structured judgment:
tacit · structured judgment- Your team typically prices ransomware-exposed manufacturers in this revenue band at 0.85–1.10% of TIV. This submission sits at the edge — the multi-factor coverage on privileged accounts is partial.
- Senior UWs in your team have declined three submissions from this broker in the last 18 months citing inflated control claims. Confidence on broker's hardening narrative: low.
- The MFA-everywhere claim is not corroborated by the technical questionnaire response on legacy systems. Worth a clarifying question.
You decide. Tacit never decides. It surfaces what your practice would notice.
-
When you're stuck on a borderline case.
The submission doesn't cleanly fit your appetite. Normally you'd grab a senior for a quick consult, or escalate, or just sit with it. Tacit gives you the consultation without the interrupt: "Here's how three senior UWs in your team would think about this kind of risk, the cases in our practice graph that are closest, and where they diverge. Two of them would decline; one would bind with sub-limit on social engineering. Here's why each."
When you do escalate, you walk in with a structured starting point, not a blank request.
-
When you're training a new UW on your team.
The hardest part of bringing a new cyber UW up is teaching them to recognize what to attend to. Your seniors point at things in submissions and say "this matters" and the junior nods, but the pattern doesn't transfer in a meeting. Tacit's practice graph is the substrate for actual rehearsal: present new UWs with real anonymized cases from your portfolio, ask them what they'd do, show them what your senior team would do and why. The pattern transfers through reps, not through documentation.
-
When your CRO or compliance team asks about the AI you've deployed.
Carriers are starting to deploy AI agents into underwriting workflows. Submission triage, schedule extraction, draft binding recommendations. Regulators — MAS in Singapore, OJK in Indonesia, BoT in Thailand, Bank Negara in Malaysia — are tightening AI risk management requirements for financial institutions including insurers. Your CRO needs to demonstrate that AI-assisted decisions are grounded in your carrier's actual practice, not generic LLM judgment.
Tacit is what AI agents consult before they recommend. Every AI-assisted decision can be compared to your practice graph. The 90%+ that align go forward; the small percentage that diverge get flagged. This is the audit artifact regulators are looking for, designed to map directly to the frameworks (MAS AI Risk Management Guidelines, similar OJK / BoT / BNM guidance) that are coming into force.
-
When your senior UWs leave.
A senior cyber UW leaves your team. Three years of accumulated judgment about broker quality, control efficacy, threat-actor patterns, and your specific carrier's loss experience walks out the door. The next hire spends 18 months redeveloping it. Tacit captures that judgment in structured form before it leaves — not as documents, but as a practice graph your team can continue to consult.
What we're not.
A clean map of what we sit beside, what we don't do, and what we are not pretending to be.
We don't replace Guidewire, Duck Creek, your AMS, or your pricing platform. We sit beside them.
We don't generate text. We return structured judgment with attribution, confidence, and provenance.
We don't pretend the same model that does claims fraud detection should also do underwriting judgment capture.
We don't repackage your existing knowledge base. We capture how your team actually decides — from observed work, not interviews.
How it works.
-
Start with one decision domain.
We pick one — say, your team's mid-market cyber appetite. We observe how your senior UWs actually handle submissions in that domain: decisions, document interactions, peer consultations, override patterns. Not interviews.
-
Recover the structured signature of your practice.
Which cues drive which decisions, where your team converges, where they diverge from guidelines, where they diverge from each other. The cognitive signature is what we extract — not a transcript of what people say about their work.
-
Build a queryable practice graph.
Specific to your carrier's cyber book. AI agents consult it via MCP. Human UWs consult it via a side panel or dashboard. The graph is the substrate.
-
Return structured judgment, every time.
Recommendation, confidence (how strongly your practice supports this), alternatives (what the dissenting senior UW would do), decay (how current the supporting evidence is), and provenance (which senior UWs, on which submissions, with what evidence).
The methodology is grounded in two decades of cognitive science — Klein's recognition-primed decision-making, the van der Schaar lab's inverse decision modeling, active inference research from UCL. We didn't invent the science. We're the first to operationalize it for AI-augmented regulated decisions.